Cisco VPN :: 2821 / Failover VPN Between ASA5505 And 2 X IOS Routers

Sep 25, 2012

I have an issue where we have a single ASA5505 [soon to be active/standby with single ISP] connecting to HQ where there are 2 x Cisco 2821's. Each 2821 router has its own connection to the internet running BGP and each router is set up to terminate IPSEC VPNs from the ASA. The ASA has a backup VPN configuration with no IP SLA configuration to track if the Primary IPSEC endpoint is alive. Keepalives are set and the VPN does fail over to the backup. When the primary 2821 internet connection fails the ASA fails over to the backup 2821 and everything works a dream. However, when the primary internet link re-establishes to the primary 2821, the ASA does not fail back to the primary 2821; it stays on the backup 2821 and all is broken as the remote site starts forwarding traffic out the BGP default route - which is back via the primary connection...

How do I fix this so that the ASA tracks the IP of the primary router to fail back without manual intervention - clearing isakmp and ipsec sa's?

The other issue is the ASA does not allow traffic to be originated from the 2821 end of the VPN. You have to establish traffic from behind the ASA for the IPSEC sa to be created.

View 1 Replies


Cisco WAN :: Configuring Internet Failover On 2821 Using IP SLA

Mar 2, 2011

We have multiple Cisco routers and most of them have dual WAN connections through different ISPs. So, we use IP SLA monitor with tracking objects to monitor each ISP's availability/reliability and switch routing accordingly (by IOS). So far, it has been working OK. However, recently, we had some ISP high latency and the connection to one ISP will be so slow but the IOS keeps seeing it as UP, thus sending traffic through it. So, I tried to change the threshold numbers around with no luck. Is there any configuration/commands or tricks that can do the job here? I don't want the users to be the ones to detect the Internet slowness and have me manually shut down an interface or change the static routes' metrics. Here is a sample of my config:
 
ip sla 1
 type echo protocol ipIcmpEcho x.x.x.x isp 1 gateway
 threshold 3
 frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla 2
 type echo protocol ipIcmpEcho x.x.x.x isp 2 gateway
 threshold 3
 frequency 5
ip sla monitor schedule 2 life forever start-time now

[Code]......

View 1 Replies View Related

Cisco WAN :: 2821 - MPLS And S2S Failover Management

Mar 10, 2013

Most of my remote sites are running MPLS primary (2821) and DMVPN (881) as a backup solution. Some of my sites run MPLS primary on 2821 and site to site as backup on an 881 router. MPLS here means the router that connects me to the MPLS cloud of the provider, not running any mpls. It is easy that way for us.
 
When MPLS is down,
 
The way the s2s tunnel gets triggered is via HSRP on the LAN, i.e., the HSRP VIP is served by the 881. At the far-end data center, the MPLS route of the remote site is purged out, and a static route with higher admin distance will get into the routing table.

Remote site A LAN----- MPLS Router-----MPLS cloud-------MPLS router----------------Data Center LAN
Remote site A LAN----- DSL Router-----internet cloud--------Data center ASA----------Data Center LAN
 
In the MPLS plus s2s model, I often get into a problem: how do I manage the 881 router via snmp, ccm, tacacs or any other management tools? There is a routing issue at hand in that I cannot route to and from the mgt address of DSL. I cannot reach the loopback or mgmt vlan of the DSL router when the MPLS is active…but this will disallow all the management stuff we do on the DSL router.

View 1 Replies View Related

Cisco Switching/Routing :: Failover VPN With 2821 And ASA 5510

Jul 2, 2012

Currently I have a network that looks like this:
 
ASA5510 - - - Internet - - - ASA5510
   |                            |
 EIGRP                        EIGRP
   |                            |
  2821 ---------MPLS--------- 1841
                BGP
 
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?

View 2 Replies View Related

Cisco WAN :: Internet Failover Via MPLS 2821 Router?

Jun 13, 2012

Currently I'm looking for a way to failover our internet connection from one site to another site over our MPLS line, should that internet connection go down.

My layout: Internet > Cable internet modem (Site B) > ASA 5510 (Site B) > 2821 Router (Site B) > MPLS Line > 2821 Router (Site A) > ASA5510 (Site A) > ISP provider internet router (Site A) > Internet
 
Facts: Site B is the one with the internet issues. The MPLS line is routed using BGP. [URL]

View 46 Replies View Related

Cisco Switching/Routing :: 2821 - Setting Up Multiple Routes With Failover

Apr 2, 2013

I'm a bit perplexed atm with trying to set up multiple failover routes on a 2821 router. Let me say that I have more experience in a switched network as routing is seldom required where I work atm. Here's my problem. I have a routing table set up as follows but only the primary routes work. The failover routes will not kick in once the primary route is not there.
 
ip route 10.32.11.0 255.255.255.0 128.32.8.11
ip route 10.32.11.0 255.255.255.0 128.32.24.11 100    
ip route 10.32.12.0 255.255.255.0 128.32.8.12
ip route 10.32.12.0 255.255.255.0 128.32.24.12 100
ip route 10.32.14.0 255.255.255.0 128.32.8.14
ip route 10.32.14.0 255.255.255.0 128.32.24.14 100
 
IP addresses are not exact but it gets the point across.
 
Why are the failover routes not failing over? The failover routes work if I remove the primary route from the config.

View 9 Replies View Related

Cisco WAN :: ASA5505 - Seeking Failover To WWAN Configuration Specifics?

Oct 17, 2011

Client has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.

View 2 Replies View Related

Cisco WAN :: 2821 / 881 - Load Balancing Between Two Routers?

Feb 24, 2011

We have a network topology like 2821 router with MPLS link and 881 Router with DSL Connection(DMVPN).

MPLS Link runs in BGP
DSL Connection runs in EIGRP.

So the existing scenario is that whenever the MPLS link goes down, traffic will be moved to the DSL connection, and once it comes up again it will be moved back to DSL; we are doing this using HSRP. In this case, most of the time my DSL connection will be in standby mode. Now my management has decided to use both links in active state and wants to do some load balancing between the links, so that some specific traffic like Internet, WSUS updates and antivirus updates goes through the DSL connection even when the MPLS is up and running.

View 2 Replies View Related

Cisco WAN :: 3945 - Failover Between Routers?

Feb 13, 2012

I have 2 Cisco 3945 routers. I use HSRP for link failover. Is there any possibility (any protocol) to automatically synchronize the routers' configuration (as failover does for ASA firewalls)? I mean, if I make any configuration changes on the Active router, these changes will automatically be taken by the Standby router.

View 3 Replies View Related

Cisco WAN :: Failover Routers Config 857

Feb 20, 2011

I’m currently training to take my CCNA. So for the reason I’m here, I have just been asked to take over the company network, and I need to know how I go about configuring some base level routers. I have 3 remote sites and 1 main site; all these routers are 857’s, with a VPN tunnel between them. This is running all OK and working fine, but my boss has decided to have a second ADSL line installed in the main site for failover. How do I go about configuring this, i.e. how do the VPNs terminate on the other router when the main one goes down?

View 1 Replies View Related

Cisco Routers :: Failover Setup On RV016?

Dec 28, 2011

Is it possible to have this setup on RV016?
 
WAN1: VOIP traffic (either by port or IP) + failover for WAN2
WAN2: all other traffic + failover for WAN1
WAN3: failover for WAN1 & WAN2 with connection on demand

View 0 Replies View Related

Cisco VPN :: Easy Failover Using 800 Series Routers

Mar 7, 2012

I'm looking to use 861s at a few remote sites connecting to an 881 in the main office using Easy VPN. If I was to get 2 ISPs at the main office, can I configure it in a way that if the primary WAN fails over to the secondary, the VPN tunnels from remote sites will also fail over?
 
Would you recommend an ASA 5505 at main office over the 811?

View 1 Replies View Related

Cisco Routers :: RV042 Both Failover And Load Balancing?

Jan 27, 2012

We are looking at purchasing an RV042 soon and have one crucial question. I am looking at having two internet connections running into the RV042. The only load balancing is going to be that all the VOIP traffic will go through one connection (e.g. WAN2) and then have all other traffic (such as web and email) through WAN1.
 
I am looking to have it so that if one of the internet connections goes down then it will failover EVERYTHING to the one that is working so both the VOIP and all the other traffic share the same connection until both WANs then go back online.

View 3 Replies View Related

Cisco VPN :: Configuring Stateful Failover Between Two 3845 Routers?

Aug 6, 2012

I have an issue with configuring VPN stateful failover between two Cisco 3845 routers. The stateful HA is not up.
  
Below is the topology
 
Configuration on HA-1
interface GigabitEthernet0/0
 ip address 194.170.9.183 255.255.255.240
 ip accounting output-packets
 duplex auto
 speed auto

[code]....

View 1 Replies View Related

Cisco Routers :: RV016 - Port VPN Setting Up A Failover

Sep 13, 2012

I was wondering how failover works on the Cisco Small Business RV016. Specifically, I am interested in when one WAN line stops working and all the computers in the LAN start using another line. Does it mean that the IP addresses of the computers in the LAN will change, or do they stay the same? If they change, can I set it up so that they always stay the same no matter which input WAN they are using?

View 1 Replies View Related

Cisco WAN :: 2851 - IPSec VPN Between Routers / Failover Portion

May 7, 2011

IPSEC VPN between 2851 routers.  I have 4 routers 2 at each site using HSRP on the front and I need to encrypt traffic between.  My concern is the failover portion. 

View 2 Replies View Related

Cisco Routers :: RV042 Smart Link / Failover Is Sticky

Apr 16, 2012

RV042 in Router mode. WAN1 preferred. With Smart Link it seems to work to a point. When WAN1 fails, it fails over to WAN2. But then it gets stuck on WAN2 and I have to manually switch to WAN2 preferred and then back to WAN1 preferred to get WAN1 connection to return. The test IP addresses should be just fine as set.
 
Is there something I should be doing differently?

View 8 Replies View Related

Cisco WAN :: 1921 OSPF To Two Routers Sending Default Route From Failover

May 28, 2013

Have a 1921 that has 3 eth connections (1 LAN, and 2 WAN) - I have 2 separate OSPF processes (2 areas) on the WAN Ints - both upstream WANs are sending defaults back to the 1921, and the 1921 is sending its LAN range to them.
 
I have ip ospf cost 150 set on the "failover" WAN connection interface (Both on the 1921 and upstream), but the 1921 is preferring the default route from the "failover"?
 
The default routes are both being received by the 1921, but it's preferring the "failover" Int with the ip ospf cost 150 configured?

View 14 Replies View Related

Cisco Routers :: Connect L2L Between RV180 And ASA5505?

Feb 27, 2013

I've been trying to connect L2L between RV180 and ASA5505 but without success. I can do RV180 to RV180 L2L with one of them in Aggressive mode. Is there a working configuration sample of RV180 L2L ASA5505?

View 1 Replies View Related

Cisco Routers :: Create VPN Between RV042 And ASA5505?

Feb 20, 2012

I have a Cisco ASA 5505 and a Cisco/Linksys RV042. I would like to create a site to site VPN between them, and from what I've read it is possible. So I set up the connection on both routers but when I click on connect on the RV042 nothing happens. I've made sure that the encryption settings are the same on both routers but I can't get them to connect to each other. I think the problem may be with the RV042 as the ASA has other site to site VPN connections without any problem (although they are on other ASAs). I saw this thread [URL] but I'm not sure how to disable phase 2 on the RV042 or enable it on the ASA.
 
What setting do I need to change on either router to make the site to site work?

View 2 Replies View Related

Cisco Routers :: Difference Between Models ASA5505 And RV042

Jul 10, 2012

I am planning to build a site to site vpn tunnel, connecting 2-3 satellite offices to the main office. After searching the products, I really don't understand the difference between models like the ASA5505 and RV042. Do I need to use an ASA5505 in the main office and RV042s in the satellite offices? Or can I use RV042 (or upper) in all the offices, and is it enough for the vpn tunnel? If that is the case, what is the benefit of the ASA series over the RV series?

View 1 Replies View Related

Cisco VPN :: Site-to-site Failover On ASA 5520 / 3945 Routers

Jan 23, 2012

I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?

View 3 Replies View Related

Cisco VPN :: AIM-VPN / SSL-2 Installation In 2821

Dec 6, 2011

I have a Cisco 2821 router with IOS version 12.4(25d). I also have a Cisco AIM-VPN/SSL-2 Encryption Module for this router. I inserted this module in AIM slot 0 but cannot see it. [code] What do I have to change to enable this module?

View 2 Replies View Related

Cisco WAN :: To Add HWIC-2FE With 2821

Mar 27, 2013

I have an existing C2821 router (2 onboard GE + 1 HWIC-2FE) currently. Like to add another 1 HWIC-2FE. Saw this doc on Cisco website which states Max of 2 HWIC-2FE for Cisco2821. Want to confirm this is indeed so as another link states max of 1 HWIC-2FE.

View 3 Replies View Related

Cisco VPN :: Client-less SSL VPN On 2821 IOS 12.4(9)

Jan 19, 2013

I have configured Clientless SSL VPN on a 2821 router with IOS 12.4. It's running fine and I am able to open the local portals I have mentioned in the SSL URL list.

View 1 Replies View Related

Cisco :: 2821 Router Loading Ios

Aug 11, 2012

I have a Cisco 2821 router and it has an advanceip image in the flash. Each time on reboot it gives the message software forced crash and checksum error and finally goes into rommon. I tried xmodem and tftpdnld -r but the same problem persists. I even changed the CF with a working router's flash but the same problem occurs. I also loaded an ip base image of about 13Mb size and all the same problem repeats with it.

View 10 Replies View Related

Cisco Router :: 2821 How To View Log

Aug 16, 2012

I want to view the log on the Cisco 2821 router for any issues that occur.

View 2 Replies View Related

Cisco WAN :: Difficulty In Reinstalling IOS On 2821

Apr 6, 2011

I'm trying to install ios onto my Cisco 2821, which boots into rommon. Apparently the ios is corrupted. I have set the IP_ADDRESS, IP_SUBNET_MASK, DEFAULT_GATEWAY, TFTP_SERVER, TFTP_FILE, but any time I issue 'tftpdnld' and confirm to continue, the process will time out and give this error message: "ARP: address resolution for 10.203.8.49 timed out. ARP failed with failure code 1. TFTP transfer aborted."

View 6 Replies View Related

Cisco VPN :: 2821 - Nat Web Traffic From Tunnel

Jan 23, 2012

I have 2 routers, a 2821 and a 2811. They are connected via GRE over IPsec, and all of the traffic from the 2821 is being routed to the 2811 with a default route to its tunnel interface. The 2821 needs to access the internet through the 2811's valid IP address. My question is: how should I NAT the traffic on the 2811 so that the 2821 can access the internet?

View 1 Replies View Related

Cisco WAN :: 2821 ISR WAN Link Speed

Feb 17, 2012

I get from my ISP 50 Mbps upload/download link via BGP. I tried to test today the speed by downloading around 10 torrents simultaneously and I use PRTG Network Monitoring to view port traffic speed. According to PRTG Reports the maximum rate of speed I get is 20 Mbps. I use Cisco 2821 ISR on my side.

View 6 Replies View Related

Cisco VPN :: 2821 Possible To Restart Web Vpn Service?

Mar 16, 2011

I have multiple VPN endpoints setup on our Cisco 2821, an SSL VPN, a site-to-site VPN, and a Web VPN for windows users. For whatever reason, the web vpn service periodically fails. The only way I've been able to bring it back up is to reload the router. Is it possible to restart the service itself?

View 3 Replies View Related

Cisco VPN :: VPN Tunnel Monitoring With 2821

Nov 7, 2010

We have around 20 VPN tunnels via Cisco Router 2821 (Intranet) and around 30 VPN tunnels via Cisco ASA (Internet) with 3rd parties/vendors. I wanna know if there are any monitoring tools from Cisco or any other providers that can give me information/trend reports about VPN tunnel up/down time, volumes of traffic, protocols etc.

View 2 Replies View Related

Cisco VPN :: 2821 / DMVPN With Dual WAN?

Nov 25, 2012

I have a DMVPN network with 2 hubs (2821's).  This setup is used for VoIP applications over the Internet for teleworkers. At the main hub site I used to have only 1 Internet feed which was DSL with a static IP.  Now I have 2 WAN feeds for this site - 1 FTTB w/ PPPoE & the DSL with static IP.  Since this site also hosts a PRI, I want all voice communications to go through the FTTB link instead of the DSL for obvious reasons, but keep the DSL as DMVPN Hub for all NHRP lookups as this link has a static IP address & is very stable.  We originally put the PRI router as a DMVPN spoke which connected through the FTTB link, with another router acting as the DMVPN hub on the DSL link.  This was obviously a waste of machinery. I want to combine both routers into one.  So I tried something like this (don't laugh):
 
Gi0/0 to FTTB (Dialer1 connects to Internet)
Gi0/1 to DSL (Public IP towards 877 demarc)
Tun0 attaches to Dialer1 public IP and connects to other spokes, no VRF
Tun1 attaches to Gi0/1 public IP and acts as DMVPN hub (ip nhrp map multicast dynamic) under VRF "Hub"
 
EIGRP AS 1 is set up twice, once under router eigrp 1, and the other using router eigrp 2 using an address-family under the Hub VRF. This kinda works but obviously Tun0 & Tun1 do not speak to each other. I also had to remove the ip nhrp map instruction that pointed to Hub1 on Tun0, as this was causing a weird condition in the router where it was repeatedly trying to connect a tunnel to itself, and crash the router because the NHRP process would go haywire. So my users must rely on the Hub2 to get a NHRP lookup for the PRI site. If Hub2 goes down, everything works in the network except for tunnel connections to the FTTB link. I'd rather not have to configure 2 tunnels on each spoke router unless I really have to.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved